June 29, 2026
OT Security Roundtable: Navigating the IT-OT-IoT Alignment Challenge
OT Security experts at World Wide Technology sit down for a conversation about the growing challenges of IT-OT-IoT alignment. They share practitioner perspectives on securing operational technology environments, bridging the technical and cultural gap between IT and OT teams, and what organizations need to consider as industrial systems become increasingly connected.
Key takeaways from the discussion
1. OT Challenges – IT and OT Differences
The most fundamental challenge is a knowledge gap. Organizations frequently come to WWT asking about segmentation or access control, but when you dig in, they don't have a basic asset inventory. You can't secure what you don't know exists.
Compounding this, legacy OT infrastructure is often too old to support modern security tools, and the cultural divide between IT and OT runs deep. IT prioritizes data; OT prioritizes safety and availability. These are different worldviews, and security programs that ignore that distinction fail.
2. IT/OT Collaboration
Historically this has been called IT/OT Convergence or sometimes IT/OT conflict; IT would push their tools and controls into OT environments, and OT would push back, often rightly so. Teams need translators and counselors who help both sides understand that the same security principles apply, but that the application has to be OT-native.
A compensating control that works in an OT environment will often do more to reduce risk than forcing an IT security control into a place it doesn't belong. Most OT breaches have actually been spillover from IT-side attacks, which makes that collaboration the first line of defense.
3. Visibility, Network Segmentation, and Secure Remote Access
These are sequential building blocks, not independent initiatives. You start with visibility: baselining assets, traffic, and relationships across the OT environment. From there, segmentation gives you guardrails: at minimum, macro-level separation between IT and OT.
Then secure remote access (SRA) injects identity-based authentication and control into environments that have historically had little to no identity infrastructure. Critically, SRA is about employees, but it is also about controlling how vendors, OEMs, and partners enter the environment, with full auditability of what they did when they got there.
4. A Comprehensive OT Security Program
The biggest failure mode is checkmark security. Organizations react to a competitor incident by throwing technology at it, without the governance structure to make it effective.
A real OT security program starts with understanding the current "as-is" footprint, mapping to actual business objectives, and building a multi-year roadmap (typically 18-36 months) across domains: visibility, identity, segmentation, resilience, and regulatory compliance where applicable.
Heavily regulated environments (i.e., utilities, oil and gas) have a framework to work from; non-regulated organizations are often on their own and more reactive. Without governance, the controls don't hold.
5. Securing Critical Infrastructure
Critical infrastructure raises the stakes on everything already discussed, and adds dimensions beyond technology: procedural rigor, personnel, and national security implications. These environments often can't take downtime (loss of uptime is loss of revenue, and in some cases, public safety), which is precisely why patching rates in OT still average once a year at best, even as AI is accelerating the speed of exploitation on the attacker side.
That core challenge hasn't changed in several decades, and isn't going away. The path forward is flexible governance policy, continued investment in compensating controls, and helping organizations understand how to approach it one step at a time.
This 30-minute roundtable is built for security leaders and practitioners working in or adjacent to critical infrastructure and industrial environments.